Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Researchers Find 'Backdoor' in Encrypted Police and Military Radios (vice.com) 105

A group of cybersecurity researchers has uncovered what they believe is an intentional backdoor in encrypted radios used by police, military, and critical infrastructure entities around the world. The backdoor may have existed for decades, potentially exposing a wealth of sensitive information transmitted across them, according to the researchers. From a report: While the researchers frame their discovery as a backdoor, the organization responsible for maintaining the standard pushes back against that specific term, and says the standard was designed for export controls which determine the strength of encryption. The end result, however, are radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute. "There's no other way in which this can function than that this is an intentional backdoor," Jos Wetzels, one of the researchers from cybersecurity firm Midnight Blue, told Motherboard in a phone call.

The research is the first public and in-depth analysis of the TErrestrial Trunked RAdio (TETRA) standard in the more than 20 years the standard has existed. Not all users of TETRA-powered radios use the specific encryption algorithim called TEA1 which is impacted by the backdoor. TEA1 is part of the TETRA standard approved for export to other countries. But the researchers also found other, multiple vulnerabilities across TETRA that could allow historical decryption of communications and deanonymization. TETRA-radio users in general include national police forces and emergency services in Europe; military organizations in Africa; and train operators in North America and critical infrastructure providers elsewhere.

This discussion has been archived. No new comments can be posted.

Researchers Find 'Backdoor' in Encrypted Police and Military Radios

Comments Filter:
  • Apparently not a very close look, considering there is no link to the Fine Article.

  • by Kreigh ( 315189 ) <Kreigh@noSpam.Tomaszewski.net> on Monday July 24, 2023 @02:56PM (#63712196)

    Now we need to get this time tested backdoor into current end to end encryption platforms. /s

  • by williamyf ( 227051 ) on Monday July 24, 2023 @03:06PM (#63712224)

    After all, pedofiles can also be police, firefighters and military.

    Without this backdoor, they can use their encripted equipment to coodinate their pedofile activities, so this backdoor is aligned with the new laws that some countries wnat to pass on end to end encrypted apps.

    Glad to see that, for once, the govt is leading by example /s

    • by Tablizer ( 95088 )

      IT History 101: Systems with back-doors end up taking it in the back-door.

    • by znrt ( 2424692 )

      Without this backdoor

      they just use the next one?

      (sorry, didn't bother with the article, my comment might be singularity level of off-topic)

    • Naah, never attribute to malice what is adequately explained by vendors-only standards committees and half-assed implementations by said closed-shop no-bid-contract vendors.
  • by Sebby ( 238625 ) on Monday July 24, 2023 @03:06PM (#63712226)

    "HA HA!"

    They keep wanting access to everyone else's communications, I wonder how the shoe feels now that it's on the other foot.

  • by _dj6_ ( 8250908 ) on Monday July 24, 2023 @03:07PM (#63712234)
    Ah, so this means the Russians may be using this in operations against US rail infrastructure, so the U.S./NSA has decided they better let folks know about this one...
    • by Anonymous Coward
      Eh most US rail companies are still using old fashioned analog FM transceivers with some use of digital P25 radios here and there. I've not heard of anything encrypted being used by US rail corporations. More to the point, its technically not legal to use encryption or obfuscation of radio communications used for commercial/private businesses (which rail companies are) in the frequency bands they occupy. Only the government gets to play with the encrypted radios stuff in the US as far as the FCC is concerne
    • Maybe the Russians, or maybe not, but they sure could have some fun with this, especially if they deepfake some voices.

      My thinking is that they setup a base of operations somewhere in a big city. They wait for normal police chatter to go on, then deepfake a senior officer saying "all units go to number 1 Fake Street". All units go to there, meanwhile they do whatever it is they want to do on the other side of town. The sound of someone's voice is about all the authentication that can really be used on an op

  • Export controls (Score:5, Interesting)

    by serafean ( 4896143 ) on Monday July 24, 2023 @03:08PM (#63712240)

    > the standard was designed for export controls which determine the strength of encryption.

    So, yes, the standard was backdoored. Its no secret these crypto standards were set so that TLAs could decrypt them. Case in point: DES. We're still waiting on some elliptic curves, those in NIST are reportedly smelly...

    If this comes back to bite states in the backside, I'll consider this the comedy of the year.

    • Re:Export controls (Score:5, Insightful)

      by TechyImmigrant ( 175943 ) on Monday July 24, 2023 @03:27PM (#63712270) Homepage Journal

      Those are just the headline problems everyone knows about.
      If you dig into the specs you will find much more.

      Try the DFs (Derivation Functions) in SP800-90A. Just take a look and consider whether those constructions look a bit suspect.

    • There’s some fine elliptic curves on XHamster
    • How are those the same thing? The export controls limit the strength of encryption tech that can be sold to other nations. A backdoor is a secret way to bypass access controls or encryption. Cryptography that was relatively weak over 20 years ago (when the standard was developed) is going to be incredibly weak now. Twenty years ago, on the other hand, this relatively weak encryption still took long enough to break that doing so in near-real-time would require resources rarely found outside of national g
      • > The export controls limit the strength of encryption tech that can be sold to other nations.

        And why would you want to limit "arbitrarily" the strength of encryption, unless it is to some non-arbitrary limit that you know you can break if need be. That's a backdoor.

  • Well, well, well. Now who would want to see vulnerability in law enforcement networks around the world. Gosh.

    Hey, has anyone seen my lost bag of coke? That stuff is sure expensive, somebody must be making a lot of money from it.

    • lol the amount of coke consumed by Americans must be astronomical. Surprised you don't find bags of it lying around more often. Replaced by meth I guess.

  • by haggie ( 957598 ) on Monday July 24, 2023 @03:28PM (#63712272)

    My government tells me that encryption backdoors are good and necessary.

    Which is it?

  • by chill ( 34294 ) on Monday July 24, 2023 @03:55PM (#63712308) Journal

    I wonder if the editors know that the way they're linking the article just doesn't show up in mobile? Good thing I read it a little while ago.

    The issue is someone took the serious effort to export data out of the secure enclave of the radios. The encryption algorithms are decades old, and from the time when you needed a license to export anything greater than 40 bits. The back door they're talking about is being able to trigger the use of export grade encryption, dropping down the complexity to only 32 bits. Back in the 90s they thought this was good enough. But these things are still in use today and the algorithms were closed source and kept secret. Now that someone has been able to look at them, they discovered issues that can't easily be fixed.

    There are a total of four algorithms, and the one with the back door for export grade encryption is the one for commercial use. The one used for emergency services, including police, has some funniest stuff in the S-box functions that raise all sorts of red flags.

    • > I wonder if the editors know that the way they're linking the article just doesn't show up in mobile?

      I don't see it on a desktop either. Here's a related article from Wired [wired.com]

    • The one used for emergency services, including police, has some funniest stuff in the S-box functions that raise all sorts of red flags.

      That sounds like that'd be interesting to read up on. Know of any layman-friendly discussion of the subject?

      • by chill ( 34294 )

        No. :-)

        Cryptography Engineering by Ferguson, Schneier, and Kohno discusses them a bit in the section on DES, as well as their use in the AES and Twofish cyphers. Schneier's Applied Cryptography goes into the implementation in DES in more detail (2-pages).

        An S-Box is a substitution box that provide nonlinearity. It is basically just a lookup table that is publicly known. Without them, a cipher can be written as a bunch of binary additions, which would make it easy for a mathematical attack using linear algeb

        • Ah, gotcha. I read (most of) Applied Cryptography years ago. I suppose I'll have to wait for Blackhat or DEFCON to eventually publish this talk on their Youtube channel. Thanks!
          • by chill ( 34294 )

            This is the quote from the Wired article [wired.com]:

            They thought they found something suspicious in a substitution box, or S-box, used in the algorithm, which contains a bad property they say would "never appear in serious cryptography." The researchers didn't have sufficient skill to examine it to determine if it was exploitable. But Leander's[1] team did examine it and he says it's not.

            "In many ciphers if you used such a box it would break the cipher very badly," he says. "But the way it's used in TEA3, we couldn't see that this is exploitable." This doesnâ(TM)t mean someone else might not find something in it he says, but he'd "be very surprised if it leads to an attack that's practical."

            That just makes me want to dig. :-) They're giving a talk at Black Hat [blackhat.com] on August 9th.

            [1] - Gregor Leander, a professor of computer science and cryptographer with a security research team known as CASA at Ruhr University Bochum in Germany.

  • Great! My HackRF will be set up to do this as soon as possible! (not /s)
  • by Miles_O'Toole ( 5152533 ) on Monday July 24, 2023 @03:59PM (#63712324)

    It's not a bug, it's a feature! And if I wanted to bet on how this "feature" got so thoroughly entrenched in the cybersecurity universe, my money would be on one of those Israeli companies that seem to have a finger in every security pie in the so-called "free world".

  • by Anonymous Coward
    They held onto this for 18 months so that all the stupid agencies could change their practices. They should have released the information with full exploits immediately.
    • They held onto this for 18 months so that all the stupid agencies could change their practices. They should have released the information with full exploits immediately.

      Agreed.

      • They held onto this for 18 months so that all the stupid agencies could change their practices.

        18 months is nowhere near enough time for them to replace that amount of equipment, and most would need to be replaced. My better half worked as a civilian crime analyst for a local PC for about 10 years and I was frequently shocked at the specs of the equipment they were expected to use. Equipment so old that I would have long ago scrapped it as it was beyond even flogging on eBay. Not to mention, completely worn out.
        In these times of "Defund the police" they will never get the funding for a project thi

    • They held onto this for 18 months so that all the stupid agencies could change their practices. They should have released the information with full exploits immediately.

      If they'd done that, they'd have been branded black hats or terrorists, and wouldn't be around to bring you more discoveries over the next several years.

    • by mysidia ( 191772 )

      They should have released the information with full exploits immediately.

      Then aforementioned 'dumb agencies' would retaliate against them, and they'd have racked up millions in legal fees if they wanted to defend the criminal lawsuits.

  • who put it there.
  • Oh god, this is the An0m phone story again, but with the roles reversed.

    The An0m phone was supposedly a secret encrypted criminal communications network just for insiders who could get their hands on the special phone. You entered a particular sequence of button presses into the Calculator app to launch the secret messaging tool. Meanwhile, the FBI got a copy of everything actually sent on the network.

    Now we have law enforcement that's supposed to get all this special secure gear just for their own use, b

  • One time on one of my occasional visits to etsi, a guy from SAGE (the ones who produce the back doored crypto for all the etsi specs) presented the "AES base protocol" proposal that was asked for by 3GPP.

    I shit you not, the ICV was 16 bits.

    After the meeting, I caught the guy outside and asked why it was 16 bits and his response was a Gallic shrug and "Zat eez what zey asked for".
    So the fix was in and GSM was doomed to remain insecure.

  • Encryption (Score:5, Interesting)

    by p51d007 ( 656414 ) on Monday July 24, 2023 @04:35PM (#63712392)
    The sheriff I worked for many years ago FORBID anyone but his detectives using encrypted radios. He said the regular patrol deputies would not be allowed to use the encryption, unless they were talking to an undercover or detective. When asked why he said the PUBLIC has a right to know what we are doing, and I'm making sure they can here what we do and have nothing to hide.
  • I'm going to DEFCON but frankly can't justify the entry price for Blackhat. Is there some other way to get their presentation? If not, I'm sure I can buy someone who attends both conferences a few beers and he'll tell me about it.
    • I'm going to DEFCON but frankly can't justify the entry price for Blackhat. Is there some other way to get their presentation? If not, I'm sure I can buy someone who attends both conferences a few beers and he'll tell me about it.

      Just be sure you pay for those beers with cash. :)

    • Their website [midnightblue.nl] says they'll be presenting at DEFCON on 13 August. And for those unaware, both Blackhat and DEFCON have Youtube channels that post most (all?) conference videos a few months after the fact.
  • > The end result, however, are radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute.

    GOP: "That means Hunter probably got into it. Lockim up!"

  • So this is like the 80-bit for export standard, with the initial mozilla browsers that used a trivial seed.

    It even says its for export use.

    Seems most "users" would have at least upgraded to a 128-bit or higher version, but this standard is ~20 years old. Who still uses an 80-bit encryption with the time/date stamp as a seed?

    • >Who still uses an 80-bit encryption with the time/date stamp as a seed?

      Police departments blowing their budget on traffic duty OT, body armour, and assault rifles instead of comms.

      In fact, plenty of police departments in my region were still completely unencrypted a few years ago (the last time I bothered to check). Some of them had one encrypted channel (not their primary) with everything else in the clear.

      • In fact, plenty of police departments in my region were still completely unencrypted a few years ago (the last time I bothered to check). Some of them had one encrypted channel (not their primary) with everything else in the clear.

        Ahm, isn't this how it's supposed to be? I mean... they aren't doing anything illegal there that needs hiding, are they?

        • They actually do have a legitimate reason for encrypted comms - it was pretty easy back in the day to break into a home and then listen to the dispatch channel for a police response. The bigger the crime, the more likely a criminal would invest in a scanner to help them evade the police.

          Tow companies also use scanners to get to accident scenes before the cops. Sounds like a good thing - getting cars out of the way of traffic - except that it leads to predatory tow companies driving dangerously to get the

          • Every example you cited can - and should - be solved differently.

            The burglary part for instance is an example of "don't tip the bad guys off", available in several variations. What it doesn't account for is that that scenario only occurs in few cases (e.g. when the bad guys obviously tripped an alarm, and there ia nobody else around to respond, e.g. neighbors or private security).

            I don't think that crucial interests of the public should have to dance around the "limitation of the day" of law enforcement. In

  • Another Crypto AG? (Score:4, Insightful)

    by schwit1 ( 797399 ) on Monday July 24, 2023 @06:29PM (#63712574)

    Assume any closed source encryption standard has a backdoor.

  • ... how reliable radio encryption is anyway. A couple of our local police forces switched to encrypted digital[1]. And then switched the encryption back off again. Their radios had trouble establishing connections. And then there's that dangerous F-22 Raptor mission, resulting it it's first kill[2]. Which was broadcast in the clear and captured by someone with a scanner.

    [1] Possibly for presidential visits. To comply with Secret Service interoperability requirements.

    [2] A balloon.

  • Midnight blue url (Score:5, Informative)

    by Schoenlepel ( 1751646 ) on Monday July 24, 2023 @09:08PM (#63712704)

    Why hasn't anyone looked up the guys who discovered this yet? Anyway, here's the link to some actually interesting information [midnightblue.nl] regarding this.

  • How long before someone makes a GNURadio script that does this? That person would be legendary.
  • I wouldn't call this a back-door. It's more of a front door: the explicit intent of limiting the strength of export-grade encryption was to allow easy decryption. The authorities tried their best to pretend only they would be decrypting things, but math doesn't work that way. So TEA1 ends up in the same bin as single-DES as intended and everybody knows it.

  • never the purpose (Score:4, Insightful)

    by cstacy ( 534252 ) on Monday July 24, 2023 @10:43PM (#63712772)

    The police radios were never designed to be secure: just difficult enough to obscure the communications from interception by the public (including the criminal public). Now it's been a few decades, and your iWatch can break the security. That just means it's time to upgrade the hardware. That the (federal) government had put a backdoor to the (local) government walky-talkies that they insisted everyone use, is that supposed to be a big surprise? To anyone? The manufacturer has admitted it's a feature, not a bug. (Well, there's bugs, too. I mean besides the radios being bugs!)

  • ...it seems to me this is exactly the reason for export controls.

  • Wouldn't it be interesting if the unlicensed prepper choice of radios--all went silent in an emergency?

    I suspect that during any emergency, the unlicensed preppers would foul up both RACES and ARES--and it was all made possible to Amazon, who doesn't give a rat's ass who they sell a radio to.
  • by Anonymous Coward

    I am the public safety radio engineer for a fairly large city, and I was always under the impression that our P.25 radios used AES-256 encryption. Are these a different type of radio? Or do I need to be worried about our systems? Honest question.

    • by sabbede ( 2678435 ) on Tuesday July 25, 2023 @11:51AM (#63713744)
      This seems to be an article about obsolete radio hardware wrapped up in sensational nonsense about secret backdoors that were actually the well-known export restrictions.

      TETRA appears to be the EU version of P25, somewhat more popular, and like P25 it has had plenty of cryptographic updates over the years. P25 can do AES265, so can TETRA.

      So, why did we all waste our time reading about how obsolete encryption on obsolete hardware is vulnerable?

      • So no worries for P25 users? I understand different frequency bands in use, but same principles? So just a matter of time til it gets broken too?
        • I'd assume the same principles given that they do the same thing in the same basic way. And outdated might be more likely/appropriate than proper "broken", but cryptography is a Red Queen's Race so yeah, it will have to be upgraded. Eventually. As TETRA has been, and will be again.

          The real concern, in my possibly worthless estimation, would be for African cities using third-hand radios in areas where there are or may soon be wars. Exploiting the weak cryptography to cause chaos for emergency services

      • Look at Schoenlepel's comment. He links the actual article by the people who did the research - it's not as simple as you think.

  • ...obsolete? Vulnerable to laptops? I'm shocked!

    Why did they bother?

New crypt. See /usr/news/crypt.

Working...